Security Essentials for SQL Server 2008 R2 & SharePoint 2010 BI · 2011-12-22 · Security...


Page 1: Security Essentials for SQL Server 2008 R2 & SharePoint 2010 BI

Paul Turley, Mentor, SQL Server MVP

[email protected]

SqlServerBiBlog.com

Page 2: Authentication Boundaries

Diagram: the request chain and the token carried across each boundary. Internet Explorer runs under the Windows user login (the process identity) and presents a Windows auth token to IIS/SharePoint on Server A; the SharePoint app pools convert it into a claims token; SharePoint calls Reporting Services on Server B with a Windows auth token; Reporting Services calls Analysis Services (the data source) on Server C with a Windows auth token. Secured resources along the chain: SharePoint reports and shared data sources, and SSAS role-based security. Each server boundary is a "hop", so this is multiple-"hop" authentication.

Page 3: Service Accounts & Delegation

Diagram: the same chain with one domain service account per hop. Internet Explorer (Windows user login) sends the SharePoint request to IIS/SharePoint on Server A, running as SvcAcct_SP, which can delegate to the Reporting Services account; the report request goes to Reporting Services on Server B, running as SvcAcct_RS, which can delegate to the Analysis Services account; the AS connection request goes to Analysis Services (data source) on Server C, running as SvcAcct_AS, and the connection is granted.

Page 4: Configuration Steps

• Plan hardware & services architecture

• Plan service account assignments

• Create accounts

• Configure Claims to Windows Token Service

• Add service principal names

• Configure delegation

• Add data sources

Page 5: Kerberos & Constrained Delegation

• Configuring Kerberos is uncomplicated if you get it right the first time

• Make a checklist and validate each step

• T A K E Y O U R T I M E

• Troubleshooting & fixing can be more complicated than starting over

Page 6: Services & Principals

• SharePoint

• SQL Server

• Analysis Services

• PowerPivot for SharePoint

• Excel Services

• Reporting Services

• Claims-to-Windows Token Service

Page 7: Demonstration

• Introduce server environment

• Services running on each server:

• Domain controller

• SQL Server

• Analysis server (on SQL server in demo)

• SharePoint farm server

• Report server (SP, SSRS & PowerPivot in demo)

• Windows client

Page 8: Create Domain Service Accounts

• Each service impersonates the user when it connects to the next service in the chain

• One principal for each service or app pool (production)

• Consolidate accounts (for dev/demo environments)

Page 9: Service Principal Names

• Syntax:

setspn -S <service name> <principal name>

• Set an SPN for both the principal's fully-qualified & NetBIOS host name

Page 10: Service Names for SPNs

Service                    SPN service name
SharePoint                 http/<hostname>
SQL Server (relational)    mssqlservice/<server>:1433
Analysis Services          msolapsvc.3/<server>
Reporting Services         sp/reportservice
PerformancePoint           sp/performancepointservice
Excel Services             sp/excelservices
PowerPivot                 sp/powerpivotservice
Claims to Win Token Svc    sp/claimstowindowstokenservice
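The SPN work from pages 9 and 10 as an added PowerShell example (not from the deck): each host-based SPN is expanded into its NetBIOS and FQDN forms, registered with setspn -S after a duplicate check, and then validated with setspn -L and setspn -X. The domain, host names and account names are assumed lab placeholders, and the session must run as a domain admin with setspn.exe available.

```powershell
# Added example, not from the slides. Run as a domain admin; setspn.exe comes with the AD DS tools.
$Domain = 'corp.example.com'     # assumed lab domain
$Plan = @(
    # account -> SPNs as written in the table; hosts sql01/spweb01 are assumed
    @{ Account = 'SvcAcct_SP';    Spns = @('http/spweb01') },
    @{ Account = 'SvcAcct_SQL';   Spns = @('mssqlservice/sql01:1433') }, # slide's class; SQL Server itself registers MSSQLSvc
    @{ Account = 'SvcAcct_AS';    Spns = @('msolapsvc.3/sql01') },
    @{ Account = 'SvcAcct_RS';    Spns = @('sp/reportservice') },
    @{ Account = 'SvcAcct_C2WTS'; Spns = @('sp/claimstowindowstokenservice') }
)

function Expand-Spn([string]$Spn, [string]$Domain) {
    # class/host[:port] -> NetBIOS and FQDN forms (page 9); fixed sp/... names pass through unchanged
    $class, $rest = $Spn -split '/', 2
    if ($class -eq 'sp') { return ,$Spn }
    $hostName, $port = $rest -split ':', 2
    $suffix = if ($port) { ":$port" } else { '' }
    return @("$class/$hostName$suffix", "$class/$hostName.$Domain$suffix")
}

function Register-Spn([string]$Spn, [string]$Account) {
    # A duplicate SPN anywhere in the forest breaks Kerberos for both owners, so query first.
    $existing = setspn -Q $Spn
    if ($existing -match 'Existing SPN found') {
        Write-Warning "$Spn is already registered:`n$($existing -join "`n")"; return
    }
    setspn -S $Spn $Account | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "setspn -S $Spn $Account failed with exit code $LASTEXITCODE" }
}

function Test-SpnPlan($Plan, [string]$Domain) {
    # Validation step from page 11: every expected SPN is listed on its account and the forest has no duplicates.
    $ok = $true
    foreach ($entry in $Plan) {
        $listed = setspn -L $entry.Account
        foreach ($spn in ($entry.Spns | ForEach-Object { Expand-Spn $_ $Domain })) {
            if (-not ($listed | Where-Object { $_.Trim() -eq $spn })) {
                Write-Warning "$($entry.Account) is missing $spn"; $ok = $false
            }
        }
    }
    $dups = setspn -X
    if ($dups -notmatch 'found 0 group') { Write-Warning ($dups -join "`n"); $ok = $false }
    return $ok
}

foreach ($entry in $Plan) {
    foreach ($spn in ($entry.Spns | ForEach-Object { Expand-Spn $_ $Domain })) { Register-Spn $spn $entry.Account }
}
Test-SpnPlan $Plan $Domain
```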

Page 11: Demonstration

• Create domain managed service accounts

• Create service principal names

• Validate SPNs

Page 12: Configuring Claims to Windows Token Service

• Runs on every machine running a SharePoint managed service

• Uses a local service account by default

• Change it to run as a domain account in the local Administrators group

• Set local policies:

• Act as part of the operating system

• Impersonate a client after authentication

• Log on as a service

Page 13: Demonstration

• Check the Claims to Windows Token Service on the SharePoint server

• Set local security policies

Page 14: Delegation Options

Basic Delegation          Not supported in most SQL Server 2012 scenarios

Constrained Delegation    Recommended

• Claims

• Kerberos

• NTLM

Page 15: Constrained Delegation

• Tells the OS to trust the user (service account) for delegation to a list of specific services only

• Once an SPN has been created for the account, the Delegation tab appears on its AD user dialog

Page 16: Demonstration

• Configure constrained delegation

• Verify SPNs with Delegation tab

• Delegate services in the reference chain

• Assign service accounts to each service

• Restart all services
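The constrained-delegation step from pages 15 and 16 as an added PowerShell example (not from the deck), using the ActiveDirectory module: each account in the chain from page 3 is allowed to delegate only to the next hop's SPNs, protocol transition is enabled because SharePoint 2010 holds a claims token rather than a Kerberos ticket for the user, and the result is read back. Account and SPN names are assumed; RSAT and domain-admin rights are required.

```powershell
# Added example, not from the slides. Requires the ActiveDirectory module (RSAT) and domain-admin rights.
Import-Module ActiveDirectory

$Chain = @(
    # delegating account -> SPNs it may delegate to (the next hop only; names assumed)
    @{ Account = 'SvcAcct_SP'; AllowedTo = @('sp/reportservice') },
    @{ Account = 'SvcAcct_RS'; AllowedTo = @('msolapsvc.3/sql01', 'msolapsvc.3/sql01.corp.example.com') }
)

function Set-ConstrainedDelegation([string]$Account, [string[]]$AllowedTo) {
    # msDS-AllowedToDelegateTo is the "Trust this user for delegation to specified services only" list
    Set-ADUser -Identity $Account -Replace @{ 'msDS-AllowedToDelegateTo' = $AllowedTo }
    # C2WTS converts a claims token into a Windows token, so the delegating account also needs
    # protocol transition ("Use any authentication protocol" in the Delegation tab)
    Set-ADAccountControl -Identity $Account -TrustedToAuthForDelegation $true
}

function Test-ConstrainedDelegation([string]$Account, [string[]]$Expected) {
    $u = Get-ADUser -Identity $Account -Properties 'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation', 'TrustedForDelegation'
    $missing = @($Expected | Where-Object { $u.'msDS-AllowedToDelegateTo' -notcontains $_ })
    [pscustomobject]@{
        Account            = $Account
        Unconstrained      = $u.TrustedForDelegation       # must stay False: basic delegation is not the goal
        ProtocolTransition = $u.TrustedToAuthForDelegation
        MissingTargets     = $missing
        Ok                 = (-not $u.TrustedForDelegation) -and $u.TrustedToAuthForDelegation -and ($missing.Count -eq 0)
    }
}

foreach ($hop in $Chain) {
    Set-ConstrainedDelegation -Account $hop.Account -AllowedTo $hop.AllowedTo
    Test-ConstrainedDelegation -Account $hop.Account -Expected $hop.AllowedTo | Format-List
}
```

Restart the services afterwards, as the slide says: a running service keeps the token it already obtained and will not pick up the new delegation entries until then.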

Page 17: Troubleshooting

• Watch out for caching

• Changes may not be applied right away

• Error conditions may persist

• No silver bullet method to clear cached settings

• Reboot after changes (if no effect)

• Use a SQL Server Profiler trace to check for account names & connection events
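An added PowerShell example (not from the deck) that makes the same check as the Profiler trace without a trace: it queries the relational instance's session and connection DMVs and flags any connection that arrived as the service account, or over NTLM instead of Kerberos, both of which mean a hop did not delegate. The server and service-account names are assumed; the caller needs VIEW SERVER STATE.

```powershell
# Added example, not from the slides. Needs VIEW SERVER STATE on the instance; server name is assumed.
$Server = 'sql01'
$Query = @"
SELECT s.session_id, s.login_name, s.host_name, s.program_name, c.auth_scheme
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.is_user_process = 1;
"@

function Get-UserConnection([string]$Server, [string]$Query) {
    # Plain SqlClient so no SQL PowerShell module is required
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$Server;Integrated Security=SSPI"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand(); $cmd.CommandText = $Query
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())
        return ,$table
    } finally { $conn.Close() }
}

function Test-DelegationOutcome($Rows, [string]$ServiceAccount) {
    # A working chain shows end-user login names with auth_scheme KERBEROS.
    # The service account as login_name, or NTLM, means the hop fell back (missing SPN or delegation entry).
    # The session running this script appears in the list as well.
    foreach ($r in $Rows) {
        $verdict = if ($r.login_name -like "*\$ServiceAccount") { 'service account: delegation did not happen' }
                   elseif ($r.auth_scheme -ne 'KERBEROS') { "$($r.auth_scheme): Kerberos was not negotiated" }
                   else { 'delegated end user' }
        [pscustomobject]@{ Session = $r.session_id; Login = $r.login_name; Host = $r.host_name
                           Program = $r.program_name; Auth = $r.auth_scheme; Verdict = $verdict }
    }
}

$rows = Get-UserConnection -Server $Server -Query $Query
Test-DelegationOutcome -Rows $rows -ServiceAccount 'SvcAcct_RS' | Format-Table -AutoSize
```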

Page 18: Installing Servers & Software

• SQL Server 2008 R2 or 2012

• Relational instance

• Reporting Services integrated mode

• SharePoint Server 2010 Enterprise

• Software prerequisites (lots of prerequisites - read carefully & follow directions)

• SharePoint 2010 Service Pack 1

• Don’t run farm configuration if planning PowerPivot

• PowerPivot for SharePoint Configuration Tool

• Central Administration Product Wizard

Page 19: Connection Options

BISM Connection file

• Simple

• Specialized

RSDS report connection

• Flexible

Page 20: BISM Connection File

• Only connects to a tabular data source

• Use the URL of a .bism file in the connection string in place of the server name for any SSAS client

• Uses EffectiveUserName

Page 21: RSDS Connections

• Natively used by Reporting Services

• Can be used by Power View

• Credential options:

• Windows authentication

• Prompt for credentials

o Not supported by Power View

• Stored credentials

o Always check "Use Windows credentials" for SSAS sources

o Set execution context (passes the user name in the EffectiveUserName property)

Page 22: Connection to SSAS with a BISM Connection File

Flowchart: attempt to connect using Kerberos. Succeed → Connect. Fail → connect using the SSRS app pool identity and pass the user as the EffectiveUserName SSAS connection string property → "User is an SSAS administrator?" Yes → Connect; otherwise → Fail.
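The flowchart above as an added PowerShell/ADOMD.NET example (not from the deck): the first attempt counts as the Kerberos path only when SSAS reports the end user as the session user; otherwise the process's own identity (the SSRS app pool in the diagram) connects with EffectiveUserName, which SSAS accepts only if that connecting identity is an SSAS administrator. Server, database and user names are assumed, and ADOMD.NET must be installed.

```powershell
# Added example, not from the slides. Needs the ADOMD.NET client; names below are assumed.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.AnalysisServices.AdomdClient')

function Get-SsasSessionUser([string]$ConnectionString) {
    # Open the connection and ask SSAS which user it attributes this session to
    $conn = New-Object Microsoft.AnalysisServices.AdomdClient.AdomdConnection($ConnectionString)
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT SESSION_USER_NAME FROM `$SYSTEM.DISCOVER_SESSIONS WHERE SESSION_ID = '$($conn.SessionID)'"
        $r = $cmd.ExecuteReader()
        try { [void]$r.Read(); return $r.GetString(0) } finally { $r.Close() }
    } finally { $conn.Close() }
}

function Connect-SsasLikeBism([string]$Server, [string]$Database, [string]$EndUser) {
    $base = "Data Source=$Server;Initial Catalog=$Database"
    # Path 1: Kerberos. Succeeds only if the delegated end-user ticket reached this process,
    # so the session user must be the end user and not this process's own account.
    try {
        $who = Get-SsasSessionUser $base
        if ($who -eq $EndUser) { return [pscustomobject]@{ Mode = 'Kerberos'; EffectiveUser = $who } }
        Write-Verbose "Kerberos path connected as $who, not $EndUser; delegation did not reach SSAS"
    } catch { Write-Verbose "Kerberos path failed: $($_.Exception.Message)" }
    # Path 2: this process's identity plus EffectiveUserName. SSAS rejects it unless that
    # identity is an SSAS administrator, which is the diamond on the flowchart.
    try {
        $who = Get-SsasSessionUser "$base;EffectiveUserName=$EndUser"
        return [pscustomobject]@{ Mode = 'EffectiveUserName'; EffectiveUser = $who }
    } catch { throw "Both paths failed; connecting identity is probably not an SSAS administrator: $($_.Exception.Message)" }
}

Connect-SsasLikeBism -Server 'sql01' -Database 'SalesTabular' -EndUser 'CORP\alice'
```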

Page 23: Demonstration

• Open SQL Server Profiler & start a trace

• Navigate the SharePoint site

• Explain service interaction, token-passing & delegation

• Analyze trace & observe delegated connections

Page 24: The Comprehensive Reference

• SQLCAT.com

• 244 pages of pure bliss

Page 25: Thank You

Resources

Contact Paul [email protected]

My Blog SqlServerBiBlog.com

White Papers & Articles SQLCAT.com

SolidQ.com/journal